From owner-freebsd-security@FreeBSD.ORG Sat Jun 9 15:08:13 2012
Date: Sat, 9 Jun 2012 11:08:07 -0400
From: Jason Hellenthal
To: emu
Cc: freebsd-security@freebsd.org
Subject: Re: Default password hash
Message-ID: <20120609150807.GA68456@DataIX.net>
References: <86r4tqotjo.fsf@ds4.des.no>

On Sat, Jun 09, 2012 at 12:04:25AM -0400, emu wrote:
> On 2012-06-09 00:01, Robert Simmons wrote:
> > On Fri, Jun 8, 2012 at 9:06 AM, Maxim Khitrov wrote:
> >> On Fri, Jun 8, 2012 at 8:51 AM, Dag-Erling Smørgrav wrote:
> >>> We still have MD5 as our default password hash, even though known-hash
> >>> attacks against MD5 are relatively easy these days.  We've supported
> >>> SHA256 and SHA512 for many years now, so how about making SHA512 the
> >>> default instead of MD5, like on most Linux distributions?
> >>
> >> If SHA-2 hashes have been supported for many years, why haven't the
> >> man pages been updated? login.conf(5) on 9.0-RELEASE still only lists
> >> "des", "md5", and "blf". I've been using the latter on my systems.
> >
> > Yes, I think at least listing all the supported algorithms in the
> > login.conf man page is of utmost importance. I've been using blowfish
> > since it was introduced to FreeBSD over 12 years ago, but I had no
> > idea that any other algorithms were possible/available until now.
> It was listed with 9.0, change /etc/login.conf from md5 to sha512 and
> then cap_mkdb /etc/login.conf and then passwd root/users for effect. As
> a previous post I'm not sure the /etc/auth.conf is necessary.

AFAILR auth.conf was being deprecated and there was only one real user of
that left to eliminate. Whether that has been eliminated is beyond me as I
never tracked it... unimportant.

-- 
 - (2^(N-1))
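The steps quoted above (set passwd_format in /etc/login.conf, rebuild the capability database with cap_mkdb, then run passwd for each account) leave one thing for an administrator to verify: changing the format only affects passwords set afterwards, so existing master.passwd entries keep their old MD5 hashes until each user's password is re-set. The script below is an added example, not code from the thread or from FreeBSD itself. It reads the passwd_format value out of a login.conf-style file and classifies master.passwd(5) entries by their crypt(3) prefix ($1$ md5, $2a$/$2b$ blf, $5$ sha256, $6$ sha512, no prefix for traditional DES) so the accounts still on MD5 can be listed. The function names, the sample login.conf fragment and the sample master.passwd lines (with fake hash values) are all constructed here for illustration.

```shell
#!/bin/sh
# Added example: audit which crypt(3) scheme each account's hash uses after
# switching passwd_format. Function names and sample data are constructed.

# hash_type <hash-field>: print the crypt(3) scheme named by the hash prefix.
hash_type() {
    case "$1" in
        '$1$'*)          echo md5 ;;
        '$2a$'*|'$2b$'*) echo blf ;;
        '$5$'*)          echo sha256 ;;
        '$6$'*)          echo sha512 ;;
        '*'*|'!'*|'')    echo locked ;;   # no usable password set
        *)               echo des ;;      # traditional 13-character DES or unknown
    esac
}

# passwd_format_of <login.conf-style file>: print the first passwd_format
# value found (capability syntax: colon-separated name=value fields).
passwd_format_of() {
    sed -n 's/.*:passwd_format=\([a-z0-9]*\):.*/\1/p' "$1" | head -n 1
}

# count_md5_users <master.passwd-style file>: number of accounts whose hash
# field still starts with the MD5 prefix, i.e. still needs passwd(1) run.
count_md5_users() {
    awk -F: '$2 ~ /^\$1\$/ { n++ } END { print n+0 }' "$1"
}

# list_hash_types <master.passwd-style file>: print "user scheme" per entry.
list_hash_types() {
    while IFS=: read -r user hash rest; do
        printf '%s %s\n' "$user" "$(hash_type "$hash")"
    done < "$1"
}

# Constructed login.conf fragment: the weak setting (md5) and, in the
# comment, the corrected line an administrator would put in its place.
LOGINCONF=$(mktemp)
cat > "$LOGINCONF" <<'EOF'
default:\
	:passwd_format=md5:\
	:copyright=/etc/COPYRIGHT:\
	:welcome=/etc/motd:
# corrected: 	:passwd_format=sha512:\
EOF

# Constructed master.passwd(5) sample; the hash values are fake.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:$1$fakesalt$fakemd5hashvalue000000:0:0::0:0:Charlie &:/root:/bin/csh
alice:$6$fakesalt$fakesha512hashvalue0000000000:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$2b$10$fakeblowfishhashvalue000000000000:1002:1002::0:0:Bob:/home/bob:/bin/sh
svc:*:1003:1003::0:0:Service:/nonexistent:/usr/sbin/nologin
EOF
trap 'rm -f "$LOGINCONF" "$SAMPLE"' EXIT

echo "configured passwd_format: $(passwd_format_of "$LOGINCONF")"
list_hash_types "$SAMPLE"
echo "accounts still on md5 (need passwd run): $(count_md5_users "$SAMPLE")"
```

On a real host the two file arguments would be /etc/login.conf and /etc/master.passwd (read as root); the prefix check is what tells you whether the cap_mkdb step has actually taken effect for a given account, since the login.conf change alone never rewrites an existing hash.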